I'm trying to create a Terraform module for AWS Lightsail. The container is using an image from a private ECR repo. Adding the ECR repo via the console is simple but not feasible for IaC. I have a sample configuration but it doesn't seem to work as intended. The policy is attached to the role but it doesn't pull the image. What do I need to do differently?
resource "aws_iam_role" "ecr_image_puller_role" {
  name = "ecr_image_puller_role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "lightsail.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
}

# Attach ECR Pull Policy to the Role
resource "aws_iam_policy" "ecr_pull_policy" {
  name        = "ecr_pull_policy"
  description = "Policy allowing access to pull images from ECR"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ],
        "Resource" : "arn:aws:ecr:eu-west-2:767397947330:repository/flask-blog"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "attach_ecr_pull_policy" {
  role       = aws_iam_role.ecr_image_puller_role.name
  policy_arn = aws_iam_policy.ecr_pull_policy.arn
}
asked Nov 20, 2024 at 15:06 by Tim Maingi; edited Nov 21, 2024 at 13:14
1 Answer
AWS Lightsail doesn't directly assume a role to pull images from ECR. Instead, Lightsail uses its service principal (lightsail.amazonaws.com) to interact with ECR. This is managed via ECR repository resource-based policies.
So you need to attach the policy to the ECR repository instead. Here's an example:
# Define an ECR repository
resource "aws_ecr_repository" "flask_blog" {
  name = "flask-blog"
}

# Attach a policy to the ECR repository to allow Lightsail to pull images
resource "aws_ecr_repository_policy" "lightsail_ecr_policy" {
  repository = aws_ecr_repository.flask_blog.name
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "AllowLightsailPull",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "lightsail.amazonaws.com"
        },
        "Action" : [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ]
      }
    ]
  })
}
Unlike ECS or Lambda, where you explicitly need to add a role allowing them to interact with ECR, Lightsail relies entirely on the ECR resource-based policy; it manages the authentication internally and doesn't use the IAM role.
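The following is an added example, not code from the question or the answer above, showing the same resource-based-policy approach wired to one specific Lightsail container service rather than to the whole Lightsail service principal. It assumes the `aws_lightsail_container_service` resource of the Terraform AWS provider with its `private_registry_access` block, which exports the ARN of the puller role Lightsail creates for that service as `private_registry_access[0].ecr_image_puller_role[0].principal_arn`; the repository resource `aws_ecr_repository.flask_blog` and the service name `flask-blog` are taken from the answer and the question. `ecr:GetAuthorizationToken` is left out because it is a registry-level action that a repository policy cannot grant; Lightsail obtains its registry token itself.

```hcl
# Lightsail container service with the ECR image puller role enabled.
# Lightsail creates the role; Terraform exposes its ARN after apply.
resource "aws_lightsail_container_service" "flask_blog" {
  name  = "flask-blog" # service name taken from the question's repository name
  power = "nano"
  scale = 1

  private_registry_access {
    ecr_image_puller_role {
      is_active = true
    }
  }
}

# Repository policy scoped to exactly one principal: the puller role of this
# service. Any other Lightsail service in the account gets no access.
data "aws_iam_policy_document" "lightsail_pull" {
  statement {
    sid    = "AllowThisLightsailServicePull"
    effect = "Allow"

    principals {
      type = "AWS"
      identifiers = [
        aws_lightsail_container_service.flask_blog.private_registry_access[0].ecr_image_puller_role[0].principal_arn
      ]
    }

    # Read-only actions needed to pull a manifest and its layers.
    # ecr:GetAuthorizationToken is deliberately absent: it is a registry-level
    # action (Resource "*") and has no meaning in a repository policy.
    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchCheckLayerAvailability",
    ]
  }
}

# aws_ecr_repository.flask_blog is assumed to be declared as in the answer.
resource "aws_ecr_repository_policy" "lightsail_pull" {
  repository = aws_ecr_repository.flask_blog.name
  policy     = data.aws_iam_policy_document.lightsail_pull.json
}
```

After `terraform apply`, the container deployment's image reference uses the repository URL (`aws_ecr_repository.flask_blog.repository_url`) with a tag; the pull succeeds because the service's own role is the principal named in the repository policy. Naming that role instead of the `lightsail.amazonaws.com` service principal keeps the grant to one service and one repository, which is the least-privilege form of the same mechanism the answer describes.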